You've signed up for a VPN service, installed the app, and hit the connect button. A green icon tells you everything is secure. But is it really? After more than 20 years working in IT and network administration, I can tell you that trusting a status icon without verification is one of the most common mistakes people make with their online privacy. A VPN that appears connected but is leaking your real IP address is arguably worse than no VPN at all โ it gives you a false sense of security while your actual location and identity remain exposed.
In this guide, I'll walk you through the practical steps to verify your VPN is doing what it promises: hiding your real IP address, encrypting your DNS queries, and preventing browser-level leaks that can reveal your true identity.
Understanding What a VPN Should Do
Before testing, it helps to understand what a properly functioning VPN actually does to your network traffic. When you connect to a VPN, your device creates an encrypted tunnel to a server operated by your VPN provider. All of your internet traffic is routed through this tunnel, and websites you visit see the VPN server's IP address instead of your own. Your Internet Service Provider (ISP) can see that you're connected to a VPN, but they can't see what you're doing or which websites you're visiting.
A properly functioning VPN should accomplish three things: it should replace your public IP address with the VPN server's address, it should encrypt your DNS queries so your ISP can't see which domains you're resolving, and it should prevent any browser-level protocols from leaking your real IP address outside of the encrypted tunnel.
When any of these three protections fail, your VPN has a "leak" โ and that's exactly what we're going to test for.
Step 1: Record Your Real IP Address
Before you even connect your VPN, you need to know your actual public IP address. This gives you a baseline to compare against once the VPN is active. Visit IP Lobster with your VPN disconnected and note down the IP address displayed. Pay attention to the full address, the hostname, and the general location information shown.
Write this down or take a screenshot. You'll need it for comparison in the next steps. This is your real IP address โ the one assigned by your ISP, and the one your VPN should be hiding.
Step 2: Connect Your VPN and Check Your IP Again
Now connect to your VPN and choose a server, preferably in a different country or region from your actual location. This makes it easier to confirm the VPN is working because the geographic difference will be obvious. Wait about 10โ15 seconds after the VPN shows as connected to give the tunnel time to fully establish.
Visit IP Lobster again and check your IP address. You should see a completely different IP address from the one you recorded in Step 1. The hostname should reflect the VPN provider's infrastructure, and any geolocation data should show the region of the VPN server you selected, not your actual location.
If you still see your original IP address after connecting, something is wrong. The most common causes are that the VPN connection failed silently, your system is routing traffic outside the tunnel due to a split tunneling configuration, or your firewall is interfering with the VPN connection. Try disconnecting and reconnecting, or switching to a different VPN server.
Step 3: Test for DNS Leaks
This is where many VPN users get tripped up. Even if your IP address appears to change, your DNS queries might still be going through your ISP's servers rather than through the VPN tunnel. DNS (Domain Name System) is the protocol that translates domain names like "iplobster.com" into IP addresses your computer can connect to. Every website you visit starts with a DNS query, so if those queries are leaking, your ISP has a complete log of every site you visit โ regardless of your VPN.
To test for DNS leaks, use a dedicated DNS leak test tool while your VPN is connected. The test works by making your browser resolve a series of unique domain names and then checking which DNS servers handled those requests. If the results show DNS servers belonging to your ISP rather than your VPN provider, you have a DNS leak.
You can also use IP Lobster's DNS Lookup tool to manually query a domain and observe which server responds. If your VPN is working properly, DNS resolution should be happening through the VPN provider's DNS servers or a third-party secure DNS provider, not through your local ISP.
Most quality VPN providers include DNS leak protection as a built-in feature, but it's not always enabled by default. Check your VPN app's settings for options labeled "DNS leak protection," "Use VPN DNS servers," or similar. On some operating systems, particularly Windows, the operating system may continue to use the system-configured DNS servers even when a VPN is active unless the VPN client explicitly overrides this behavior.
Step 4: Test for WebRTC Leaks
WebRTC (Web Real-Time Communication) is a browser technology that enables peer-to-peer communication for features like video calls and file sharing. The problem is that WebRTC can discover your real local and public IP addresses through a mechanism called STUN (Session Traversal Utilities for NAT), and it does this regardless of whether you're connected to a VPN.
This is a browser-level leak, not a VPN-level leak, which means your VPN provider can't fully prevent it. WebRTC leak testing tools will attempt to use this STUN mechanism and report back what IP addresses were discovered. If your real IP address shows up alongside or instead of the VPN server's address, you have a WebRTC leak.
To fix WebRTC leaks, you have several options depending on your browser. In Firefox, you can type about:config in the address bar, search for media.peerconnection.enabled, and set it to false. This completely disables WebRTC, which will break video calling features on websites but eliminates the leak entirely. In Chrome-based browsers, you'll need a browser extension to control WebRTC behavior, as Chrome doesn't provide a built-in toggle. Some VPN browser extensions also include WebRTC leak protection.
Step 5: Test for IPv6 Leaks
Many VPN services still only tunnel IPv4 traffic, leaving IPv6 traffic to travel outside the encrypted tunnel. If your ISP has assigned you an IPv6 address (which is increasingly common), websites that support IPv6 might see your real IPv6 address even while your IPv4 traffic is properly routed through the VPN.
Check whether your connection has an IPv6 address by visiting IP Lobster with your VPN disconnected. If an IPv6 address is shown, you'll want to verify it changes or disappears when your VPN is connected. If your real IPv6 address persists while connected, you have an IPv6 leak.
The simplest fix is to disable IPv6 on your operating system entirely, which forces all traffic over IPv4 and through the VPN tunnel. On Windows, you can do this in your network adapter properties by unchecking "Internet Protocol Version 6 (TCP/IPv6)." On Linux, you can add net.ipv6.conf.all.disable_ipv6 = 1 to your sysctl configuration. Many modern VPN clients also include an option to block or tunnel IPv6 traffic โ check your VPN app's settings.
Step 6: Verify Your Kill Switch
A kill switch is a VPN feature that blocks all internet traffic if the VPN connection drops unexpectedly. Without a kill switch, a momentary VPN disconnection could expose your real IP address to any websites or services you're connected to. This is especially important on unstable connections like public Wi-Fi.
To test your kill switch, connect to your VPN and start a continuous ping to a public server (like ping 8.8.8.8) in a terminal window. Then deliberately kill the VPN process โ not through the app's disconnect button, but by ending the process through your system's task manager. If the kill switch is working, the pings should immediately stop. If pings continue, your traffic is flowing outside the tunnel without protection.
Keep in mind that VPN kill switches come in two varieties: application-level kill switches that only block traffic from specific apps, and system-level kill switches that block all network traffic. A system-level kill switch provides much stronger protection.
When to Retest Your VPN
VPN verification isn't a one-time task. You should retest your VPN connection after any of the following events: operating system updates (which can reset network configurations), VPN app updates, switching between Wi-Fi and cellular connections, changing VPN servers, or after your device wakes from sleep. Network configuration changes at the OS level are one of the most common causes of VPN leaks, and they can happen silently during routine updates.
I'd also recommend doing a full test suite at least once a month, even if nothing has obviously changed. VPN providers sometimes update their server infrastructure, and what worked last month might behave differently today.
Quick Reference Checklist
To summarize, here's the complete VPN verification process: First, record your real IP address at IP Lobster before connecting. Second, connect your VPN and verify a different IP address is shown. Third, run a DNS leak test to ensure DNS queries go through the VPN tunnel. Fourth, check for WebRTC leaks and disable WebRTC if necessary. Fifth, verify no IPv6 leaks are exposing your real address. And finally, test your kill switch to ensure you're protected during unexpected disconnections.
Taking these steps gives you real confidence that your VPN is doing its job โ not just the false confidence of a green status icon. In a world where online privacy is increasingly important, verification is everything.